Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Can someone recognize this code??? (https://forum.exetools.com/showthread.php?t=2794)

yaa 10-03-2003 06:19

Can someone recognize this code???
 
Hello,

sorry for posting what is probably a stupid question, but I was wondering if someone can recognize the following code:

00401620 PUSHAD
00401621 MOV EDI,xxxxxxxx.00401000
00401626 MOV ECX,xxxxxxxx.00401FFF
0040162B SUB ECX,EDI
0040162D MOV AL,0CC
0040162F REPNE SCAS BYTE PTR ES:[EDI]
00401631 JNZ SHORT xxxxxxxx.00401644
00401633 MOV EBX,xxxxxxxx.00402005
00401638 ADD BYTE PTR DS:[EBX],1
0040163B MOV ECX,xxxxxxxx.00401FFF
00401640 SUB ECX,EDI
00401642 JMP SHORT xxxxxxxx.0040162F
00401644 MOV EAX,xxxxxxxx.00402005
00401649 CMP BYTE PTR DS:[EAX],3

This code is somehow able to detect the presence of an application level debugger following code step by step. I was wondering if this is some checksum code. Thx.

yaa

Jay 10-03-2003 07:00

?
 
well, with cc in al, 401000 in edi and 1FFF in ecx, if I'm not mistaken it's checking for an int 3 in the code section, or maybe I need some zzzz's

Satyric0n 10-03-2003 07:34

Yep, I agree with Jay. It's scanning every byte between 401000 and 401FFF looking for 0xCC, which is the INT3 instruction. So, a simple If statement if it finds a breakpoint.

yaa 10-05-2003 07:56

And if I'm not mistaken, debuggers implement step-by-step execution of applications using int 3 breakpoints. This explains everything.

Thank you.

yaa

Squidge 10-05-2003 18:52

Ollydbg has the ability to use hardware breakpoints to trace and step through code, hence does not need to write 0xCC into any part of the target program's code area, whilst still maintaining full functionality :)

yaa 10-06-2003 04:14

Hello Squidge,

Yes, I know about the HW breakpoints of OllyDbg (in fact I'm a great fan of Olly) ...

From what you say I deduce that softice indeed (as I read) uses software breakpoints (int 3) as "its" breakpoints.

yaa

Satyric0n 10-06-2003 04:37

SoftICE is capable of setting hardware breakpoints also. The BPM command sets hardware breakpoints (technically, uses debug registers), while BPR, BPX, etc. set INT3 breakpoints.
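As an added example (not code from the thread), here is a C model of the scan loop in yaa's listing. It assumes a flat 4 KiB buffer standing in for 401000-401FFF and a constructed NOP-filled sample image; it reproduces the REPNE SCASB termination rule and makes two points visible: the listing's own MOV AL,0CC contributes a 0xCC byte (its immediate, encoded B0 CC) inside the scanned range, so the counter is already 1 without any debugger, and a hardware breakpoint leaves the count unchanged because it writes nothing into the code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_START 0x401000u                 /* EDI start value in the listing */
#define CODE_END   0x401FFFu                 /* value loaded into ECX before SUB */
#define CODE_SIZE  (CODE_END - CODE_START + 1)

/* Model of REPNE SCAS BYTE PTR ES:[EDI]: examine up to *ecx bytes starting at
 * *edi for the value in al. Returns true (ZF=1) on a match, leaving EDI one
 * past the matching byte; false (ZF=0) when ECX runs out, as on real x86. */
static bool repne_scasb(const uint8_t *img, uint32_t *edi, uint32_t *ecx, uint8_t al)
{
    while (*ecx != 0) {
        uint8_t b = img[*edi - CODE_START];
        (*edi)++;
        (*ecx)--;
        if (b == al)
            return true;
    }
    return false;
}

/* The loop at 0040162F-00401642: every hit bumps the byte counter at 00402005
 * and the remaining length is recomputed as 401FFF-EDI. Because ECX is a
 * length, the byte at 401FFF itself is never examined. The listing ends with
 * CMP BYTE PTR [00402005],3; the branch on that result is not shown. */
static int scan_for_int3(const uint8_t *img)
{
    uint32_t edi = CODE_START, ecx = CODE_END - edi;
    uint8_t counter = 0;                     /* BYTE PTR DS:[00402005] */
    while (repne_scasb(img, &edi, &ecx, 0xCC)) {
        counter++;                           /* ADD BYTE PTR DS:[EBX],1 */
        ecx = CODE_END - edi;                /* MOV ECX,401FFF / SUB ECX,EDI */
    }
    return counter;
}

/* Constructed 4 KiB image: NOP filler, the listing's own MOV AL,0CC (B0 CC)
 * at 40162D, and a CC at the last byte to show it sits outside the scan.
 * n software breakpoints are planted as 0xCC; a hardware breakpoint is n == 0. */
static int count_after_planting(int n)
{
    uint8_t img[CODE_SIZE];
    memset(img, 0x90, CODE_SIZE);
    img[0x62D] = 0xB0; img[0x62E] = 0xCC;   /* immediate of MOV AL,0CC */
    img[0xFFF] = 0xCC;                       /* never reached by the scan */
    for (int i = 0; i < n && i < 5; i++)
        img[0x100u * (i + 1)] = 0xCC;
    return scan_for_int3(img);
}

int main(void)
{
    printf("no INT3 planted: %d (the MOV AL,0CC immediate)\n", count_after_planting(0));
    printf("two INT3 planted: %d -> reaches the threshold of 3\n", count_after_planting(2));
    return 0;
}
```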

